Sept Update 2021.007.20091 Bug with Protected View on all Documents.

Report · Sep 16, 2021

On systems that have recently had Adobe Reader DC 2021.007.20091 upgraded.

Any PDF that is opened comes up with the following error message.

Adobe Acrobat Reader DC (32-bit) cannot open in protected view due to a problem with your system configuraiton. Would you like to open the file with protected view disabled.

If we choose option 1. the file will open. But closing it and reopening it. the same error message comes back.
If we choose option 2. the file will not open at all.
If we choose option 3. the file will open. But closing it and reopening it, the same error message comes back.
Disabling Protected view is obviously a very bad idea. We currently control these security settings via Group Policy. If we Change iProtectedview from Dword 2 to 1, we can get internal files to open normally. but PDF's with the downloaded from Internet Flag obviously will still get the issue. However, again. Iprotectedview to 1 or 0 is a very bad idea.

If we downgrade to 2021.005.20060 or lower. We no longer experience this issue. However, downgrading than opens up to the CVE's recently published, that 2021.007.20091 address's.

This is breaking several hundred machines.
Please advise.

Report · Sep 17, 2021

I have a quite similar problem (and sorry do not have any solution either) .

Same Acrobat Reader release: 2021.007.20091

Mac Book Pro: Mac Big Sure. version 11.5.2

Any PDF that is opened( new and old) comes up a page with the warning" Unattended closure of Adobe Reader" and a very detailed report to be automatically sent to Apple. (done but automatic answer with "no solution")

any help

Report · Sep 17, 2021

Hi,

Apologies for the issue that you are facing.

Would it be possible to share the Process Monitor logs from the affected machine using the Log tool: https://www.adobe.com/devnet-docs/acrobatetk/tools/Labs/acromonitor.html

Download the tool, run it, reproduce the issue, and save the logs. Share the logs with us either by uploading them to the Document Cloud Storage: https://documentcloud.adobe.com/link/home/ and share the link with us. Or attach it to the thread.

Report · Sep 17, 2021

I've performed the monitoring and it appears I get a very simlier error without needing to open an actual PDF file. See attached.
Also the link for the logs.

https://documentcloud.adobe.com/link/track?uri=urn:aaid:scds:US:20bd2c00-6c3e-40b4-9fe4-6e1c0e03a6c7

Report · Sep 17, 2021

I was able to get past the First error I repoted by adding this registry key. per this Document.
https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/sandboxprotections.html#appcontainer

bEnableProtectedModeAppContainer

Here is the Logs when I get the Original Error first posted. Thank you for your assistance.

https://documentcloud.adobe.com/link/track?uri=urn:aaid:scds:US:80f6ccd5-3bb4-4c30-bb24-df2c87c6f7e1

Report · Sep 20, 2021

Could you let us know the following:

Is KB5005565 update installed on the machine?
What is the value of registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe? Kindly post a snapshot.
Run Powershell (in admin mode) and execute the command -> Get-ProcessMitigation -Name AcroRd32.exe
Run Powershell (in admin mode) and execute the command -> Get-ProcessMitigation -Name Acrobat.exe

Report · Sep 20, 2021

Yes, it is installed

please see attached screenshot and txt files.

thanks,

Report · Sep 20, 2021

Deleteing the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe

seems to have solved the problem. So we need to invetigate what is inside HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe that is causing the problem and why it works fine with the previous version of Adobe, but not 2021.007.20091

Report · Sep 20, 2021

we have the same issue since one week and since KB5005565 patch was installed, all our user that use adobe are having the same issue adobe freeze and make many task in the task manager we need to kill them all, and then doing a repair on the installation but the problem keep comming days after days, we have curenly approx 275 user that are experiancing the same issue.

Report · Sep 20, 2021

I have 2400 users broken.

Doing the repair fixes the problem until the machine reboots. But I have seen that repairing it 5 or 6 times, then it breaks no matter what. even if I uninstall it and install the old version. Using the Adobe Cleaner seems to make it worse, as cleaning it than insalling the old version or 2 version back. it breaks right away.

Report · Sep 20, 2021

there product is becoming worst and worst, we switch some user to edge for viewer and we are plaining to go to nuance product for pdf editing

Report · Sep 20, 2021

I've been making changes one by one, So far I've determined it appears to be within this set.

These Settings have been in place for several years. Only with the new version of Adobe did it trip Exploit Guard.
Question is, Adobe fix or Microsoft Fix? Being that this has been in place for years, I'm leaning towards Adobe. However... tje Recent windows update too. I'm open minded. 🙂

Payload:
EnableExportAddressFilter : ON
AuditEnableExportAddressFilter : OFF
Override ExportAddressFilter : False
EnableExportAddressFilterPlus : ON
AuditEnableExportAddressFilterPlus : OFF
Override ExportAddressFilterPlus : False
EAFModules : {AcroRd32.dll, Acrofx32.dll, AcroForm.api}
EnableImportAddressFilter : ON
AuditEnableImportAddressFilter : OFF
Override ImportAddressFilter : False
EnableRopStackPivot : ON
AuditEnableRopStackPivot : OFF
Override EnableRopStackPivot : False
EnableRopCallerCheck : ON
AuditEnableRopCallerCheck : OFF
Override EnableRopCallerCheck : False
EnableRopSimExec : ON
AuditEnableRopSimExec : OFF
Override EnableRopSimExec : False

Report · Sep 20, 2021

after testing all the settings. This is what I have found so far.

EnableExportAddressFilterPlus : ON

changing to

EnableExportAddressFilterPlus : OFF

Resolves the issue. Now we need to know the long term solution.

Report · Sep 20, 2021

Hi all,

Thanks for the response. The problem you are facing is same as mentioned in the post https://community.adobe.com/t5/acrobat-reader-discussions/adobe-reader-not-opening/td-p/12383418. Reposting it here as well.

This is because the Windows security update KB5005565 is causing Reader to become incompatible with the process mitigation flag EnableExportAddressFilterPlus. Note that this flag is off by default. They are usually explicitly enabled in the enterprise enviroment. Also note that users having older version of Acrobat will also face this issue with security update KB5005565 installed and EnableExportAddressFilterPlus set.

As a workaround, follow any one of the step mentioned below:

Using Powershell (in admin mode), execute the command -> Set-ProcessMitigation -Name AcroRd32.exe -Disable EnableExportAddressFilterPlus
Delete or reset registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe
Repair Adobe Acrobat Reader. This will automatically reset the registry.
Uninstall KB5005565 security update. Note, Adobe does not recommend uninstalling security update as a first response. Kindly uninstall only if other solutions do not work.

If you are using the enterprise setup (MDM/Intune/GroupPolicy etc.), you will also have to update the Exploit Protection Baseline configuration to reflect this. You can use the following XML as a guide.

We are working with Microsoft to get this resolved at the earliest.

Let us know if that helps.

Regards,

Acrobat Team.

Update:

Microsoft confirmed that this is a known issue for the latest security updates, KB5005565 and KB5005566. They have created files for temporary mitigation workarounds for this issue while a permanent update is created. Please apply the appropriate Known Issue Rollback to your impacted systems and then deploy the policy as mentioned in https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy.... Let us know if it does not work.

Windows 10, version 1903

https://download.microsoft.com/download/7/f/1/7f194890-eea9-4cad-b19f-25ab67e41bbe/Windows%2010%20(1...

Windows 10, version 1909

https://download.microsoft.com/download/7/f/1/7f194890-eea9-4cad-b19f-25ab67e41bbe/Windows%2010%20(1...

Windows 10, version 2004, Windows 10, version 20H2 and Windows 10, version 21H1

https://download.microsoft.com/download/7/f/1/7f194890-eea9-4cad-b19f-25ab67e41bbe/Windows%2010%20(2...

Windows Sever 2020

https://download.microsoft.com/download/7/f/1/7f194890-eea9-4cad-b19f-25ab67e41bbe/Windows%20Server%...

Report · Sep 20, 2021

Thank you.

I've pushed a new Exploit guard Policy via with that flag set to false via GPO and it has resolve the issue.
however, I have only experienced this issue on systems that got the update via Windows Update or Via SCCM/WSUS Updates.

On systems where KB5005565 was slipstreamed into an image and the OS was deployed with adobe 2021.007.20091 AND EnableExportAddressFilterPlus=True.

The Issue does not occur.

This might be helpful informaiton for microsoft and you to assist in investigation.

Thank you for your help.

Report · Sep 21, 2021

Update:

Microsoft confirmed that this is a known issue for the latest security updates, KB5005565 and KB5005566. They have created files for temporary mitigation workarounds for this issue while a permanent update is created. Please apply the appropriate Known Issue Rollback to your impacted systems and then deploy the policy as mentioned in https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy.... Let us know if it does not work.

Windows 10, version 1903

https://download.microsoft.com/download/7/f/1/7f194890-eea9-4cad-b19f-25ab67e41bbe/Windows%2010%20(1...

Windows 10, version 1909

https://download.microsoft.com/download/7/f/1/7f194890-eea9-4cad-b19f-25ab67e41bbe/Windows%2010%20(1...

Windows 10, version 2004, Windows 10, version 20H2 and Windows 10, version 21H1

https://download.microsoft.com/download/7/f/1/7f194890-eea9-4cad-b19f-25ab67e41bbe/Windows%2010%20(2...

Windows Sever 2020

https://download.microsoft.com/download/7/f/1/7f194890-eea9-4cad-b19f-25ab67e41bbe/Windows%20Server%...